You Can Continue to Copy Users in SU01, but be Smart about it!
How does your organization create user accounts for new employees, and how does it grant authorizations? Most organizations copy an existing user account in transaction SU01, put a new username on it and move on. Take Mr. Newman, for example. Mr. Newman has joined the company and his job description is similar to Ms. Oldbane's, so in most organizations the system administrator will manually copy Ms. Oldbane's user account, including every authorization in it, used and unused, and put Mr. Newman's name on it.
Voila! The new user account has been created and the task is complete. As you may have guessed, that method is too easy, and it comes with problems of its own. When the system administrator copied the account, they copied ALL of its authorizations: the ones that actually belong to Ms. Oldbane's role, but also the ones she picked up along the way, which she no longer uses and has probably forgotten about (for example, she may once have covered a colleague's position temporarily and received extra authorizations for it; some of her authorizations may even date back to the user her own account was copied from). Every unneeded authorization copied along is one more thing the new account can do if it is misused or compromised, and any segregation-of-duties conflict hiding in the source account is inherited with it. Either way, this is a recipe for one big mess. So is there another way? Yes, there is. Let me break it down: there are three common methods for creating new users.
1. Copying an existing user account. This method is certainly the easiest and quickest, but it is the least recommended. As shown above, it produces users with too many unused and potentially unknown authorizations. Over time the authorizations in the company simply get out of hand and the company loses control over what its employees can do. The usual remedy is a long, tedious and seemingly endless "clean-up" project that has to be repeated every couple of years if nothing else is done.
2. Granting authorizations according to the employee's job or role (with or without SAP HR/HCM support). This method is more time-consuming and harder to set up, but it is highly recommended. It requires a lot of preparation and continuous maintenance of the role catalog (in the HCM module, if that is where you keep it), but it ensures that people receive authorizations according to their HR job. Setting aside the politics involved and the constant battle over telling similar job descriptions apart (for example "purchasing clerk" and "senior purchasing clerk"), this method is far more effective than the first. However, large amounts of unused authorizations remain an issue, because a job's roles tend to accumulate everything anyone in that job ever needed, so the clean-up project is inevitable here as well. In addition, if the role catalog lives in SAP HR/HCM it does not extend to non-SAP applications such as Active Directory, Salesforce or Office 365.
3. "Smart copy". The third method is similar to the first, but instead of duplicating the full user account, someone stops and considers which of the reference user's authorizations are actually required and in use. Authorizations that are not in use, or that are irrelevant to the new user, are not copied, so the new employee is granted only what the job needs. Smart? Yes, and also a very effective way to keep the authorization structure "thin". The one challenge is knowing which authorizations are in use and which are dormant. You can answer that by digging through the SAP usage logs by hand, which will inevitably consume a large chunk of your time; ProfileTailor Dynamics from Xpandion makes the method manageable by automating exactly that analysis.
Now, there is one last method which makes it so easy that you would think it is too good to be true! ProfileTailor Dynamics from Xpandion can provide you with this last and very powerful process. The software grants authorizations automatically based on “Job and Business Rules” or “Reference User and Business Rules”. In short, this means that you can establish a catalog of business rules for granting authorizations in SAP and non-SAP systems. You can then create a new user on the system and simply reference an existing user or an actual job and the new username will be created with only the relevant authorizations. For example:
- A new doctor at a health clinic in Alabama is granted permissions according to the role "doctor", which includes viewing patient cases in SAP and the creation of an email account in Microsoft Exchange, plus access to the relevant public folders on the network.
- A help desk employee hired to work at company headquarters does the same job as an existing employee, so they are granted that employee's used authorizations, plus the authorizations required for everyone who works at headquarters.
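The "smart copy" decision from method 3 and the reference-user-plus-business-rules process described in the two examples above can be written down as a small piece of logic. The following Python script is an added example written for this page; it is not code from Xpandion or ProfileTailor Dynamics and does not reflect how that product works. All of its data is constructed: the role-to-transaction mapping, the reference user's role assignments with validity dates, the 90-day usage log and the business-rule catalog are assumptions standing in for exports from a real system (for instance from PFCG role menus and ST03N workload statistics, neither of which the page mentions).

```python
"""Smart copy of a reference user's SAP roles: keep what the reference user
actually uses, drop dormant and inactive assignments, then add the roles a
business-rule catalog derives from the new user's job and location.
Added example with constructed data; not Xpandion / ProfileTailor code."""
from dataclasses import dataclass
from datetime import date, timedelta

# Assumption: role -> transaction codes, as exported from the role menus (PFCG).
# Constructed sample data, not taken from any real system.
ROLE_TCODES = {
    "Z_PURCHASING_CLERK": {"ME21N", "ME22N", "ME23N", "ME51N"},
    "Z_INVOICE_VERIFY": {"MIRO", "MIR4"},
    "Z_HR_TEMP_COVER": {"PA20", "PA30"},   # picked up while covering a colleague
    "Z_FI_DISPLAY": {"FB03", "FBL1N"},
}


@dataclass(frozen=True)
class Assignment:
    """One role assignment of the reference user with its validity period."""
    role: str
    valid_from: date
    valid_to: date


# Constructed assignments for the reference user (Ms. Oldbane).
REF_ASSIGNMENTS = [
    Assignment("Z_PURCHASING_CLERK", date(2019, 1, 1), date(9999, 12, 31)),
    Assignment("Z_INVOICE_VERIFY", date(2019, 1, 1), date(9999, 12, 31)),
    Assignment("Z_HR_TEMP_COVER", date(2023, 3, 1), date(2023, 5, 31)),
    Assignment("Z_FI_DISPLAY", date(2021, 1, 1), date(9999, 12, 31)),
]

# Constructed usage log: (execution date, transaction code) for the reference
# user. Assumption: in a real system this comes from per-user workload
# statistics such as ST03N.
USAGE_LOG = [
    (date(2024, 6, 3), "ME21N"),
    (date(2024, 6, 10), "ME23N"),
    (date(2024, 5, 22), "MIRO"),
    (date(2024, 6, 14), "SE16"),   # no assigned role covers this transaction
    (date(2024, 1, 15), "FB03"),   # last use falls outside the 90-day window
]

# Constructed business-rule catalog: (attribute, value) -> roles to add.
BUSINESS_RULES = {
    ("location", "HQ"): {"Z_HQ_LOCAL_PRINTING"},
    ("job", "doctor"): {"Z_PATIENT_CASE_DISPLAY"},
}

TODAY = date(2024, 6, 30)


def classify_roles(assignments, usage_log, today, window_days=90):
    """Split the reference user's roles into used, dormant and inactive, and
    report transactions that were executed but that no active role explains."""
    cutoff = today - timedelta(days=window_days)
    used_tcodes = {tcode for when, tcode in usage_log if when >= cutoff}
    used, dormant, inactive, explained = set(), set(), set(), set()
    for a in assignments:
        if not (a.valid_from <= today <= a.valid_to):
            inactive.add(a.role)          # expired or not yet valid: never copy
            continue
        tcodes = ROLE_TCODES.get(a.role, set())
        hits = tcodes & used_tcodes
        explained |= hits
        (used if hits else dormant).add(a.role)
    # Executed, but not covered by any active role: the reference user gets this
    # access from somewhere else (e.g. a directly assigned profile). Investigate.
    unexplained = used_tcodes - explained
    return used, dormant, inactive, unexplained


def smart_copy(assignments, usage_log, new_user, today, window_days=90):
    """Role set for a new user: the reference user's used roles plus whatever
    the business rules derive from the new user's own attributes."""
    used, dormant, inactive, unexplained = classify_roles(
        assignments, usage_log, today, window_days)
    rule_roles = set()
    for (attr, value), roles in BUSINESS_RULES.items():
        if new_user.get(attr) == value:
            rule_roles |= roles
    return {
        "grant": used | rule_roles,
        "skipped_dormant": dormant,
        "skipped_inactive": inactive,
        "investigate_tcodes": unexplained,
    }


if __name__ == "__main__":
    newman = {"job": "purchasing_clerk", "location": "HQ"}
    for key, value in smart_copy(REF_ASSIGNMENTS, USAGE_LOG, newman, TODAY).items():
        print(f"{key}: {sorted(value)}")
```

Two caveats a practitioner should keep in mind. Transaction executions are a coarse proxy: a role counts as "used" here as soon as one of its transactions ran, while SAP actually checks authorization objects inside the role, so a "used" role can still carry far more than the new user needs and deserves a look at object level. And the `investigate_tcodes` output matters: a transaction that ran without any active role explaining it means the reference user has access from outside the roles you are copying, which a plain role copy would either silently drop or, worse, silently reproduce if you copy profiles too.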

Xpandion can provide you with a top-notch solution that is proven to be successful in helping companies maintain a long-term, lean, organized and effective authorization model.